When considering lawful grounds of processing data you should remember that the responsibility of proving each route lies with the controller (person processing the data). Neither the data subject or the regulator have responsibility to prove anything.
Your default thinking should be that all data processing is unlawful until proved to be otherwise.